Cybercriminals have upped their game with a new lethal weapon in their arsenal. The Symantec Threat Hunter team recently discovered Betruger, a multi-function custom backdoor deployed by RansomHub affiliates. Found on March 20, 2025, this isn’t your average malware. It’s an all-in-one nightmare.
Betruger does it all. Screenshot capture? Check. Credential theft? You bet. Keylogging, network scanning, privilege escalation—the works. Instead of using multiple tools and leaving digital breadcrumbs everywhere, attackers now deploy this single solution. Convenient for them. Terrible for everyone else.
One-stop hacking shop—less footprint, more devastation. The digital equivalent of a Swiss Army knife from hell.
The backdoor masquerades as legitimate software, using file names such as mailer.exe or turbomailer.exe that might sound innocent enough, but they’re wolves in sheep’s clothing. Once installed, they upload stolen data to command and control (C2) servers faster than you can say “ransomware.” If your system shows unusual behavior like frequent pop-ups or browser redirects, you might already be infected.
RansomHub, the group behind this mess, has been wreaking havoc since February 2024. Also tracked as Water Bakunawa (because apparently every hacker group needs a cool codename), they target enterprises with deep pockets. Their business model? Offering affiliates bigger cuts of the ransom payments. Capitalism at its finest, folks. The operation is managed by a threat actor known as Greenbottle who coordinates the ransomware campaigns.
Their attack tactics aren’t particularly innovative—spear-phishing, password spraying, vulnerability exploitation—but they’re effective. The group is known for exploiting the Zerologon vulnerability (CVE-2020-1472) as one of their primary methods for gaining initial access. What’s worse, they employ double extortion: encrypting your data AND threatening to leak it. Nice people, really.
For their dirty work, RansomHub uses a mix of malicious and legitimate tools. PsExec, PowerShell scripts, Python for SSH connections. They even disable security software with batch files and signed drivers. Talk about bringing a gun to a knife fight.
Their victim list reads like a who’s who of organizations with money: Change Healthcare, Bologna FC, and targets across multiple countries including the US, Canada, and Russia. Government agencies, private companies, NGOs—no one’s safe.
The message is clear: RansomHub means business, and Betruger is their new favorite toy.